It then subsequently registers a download callback which causes the “download” to be uploaded anywhere on the target file system.
It works by registering a beacon with a directory traversal in the IP address field.
Cobalt Strike users cannot change the default value of these pipes without accessing and modifying the source code configuration of Cobalt Strike.
Opening the malware-laced document leads to the download of a Cabinet archive file containing a DLL bearing an INF file extension that, when decompressed, leads to the execution of a function within that DLL. The Cobalt Strike Beacon tool unassumingly pretends to be a web client, just like a browser or an official software auto-updater, and regularly calls home to a designated server using innocent. The exploit delivery mechanism originates from emails impersonating contracts and legal agreements hosted on file-sharing sites.
The earliest exploitation attempt by DEV-0413 dates back to August 18. The Redmond-based tech giant attributed the activities to related cybercriminal clusters it tracks as DEV-0413 and DEV-0365, the latter of which is the company’s moniker for the emerging threat group associated with creating and managing the Cobalt Strike infrastructure used in the attacks.
Microsoft has since rolled out a fix for the vulnerability as part of its Patch Tuesday updates a week later on September 14. “The observed attack vector relies on a malicious ActiveX control that could be loaded by the browser rendering engine using a malicious Office document,” the researchers noted.
“These loaders communicated with an infrastructure that Microsoft associates with multiple cybercriminal campaigns, including human-operated ransomware.”ĭetails about CVE-2021-40444 (CVSS score: 8.8) first emerged on September 7 after researchers from EXPMON alerted the Windows maker about a “highly sophisticated zero-day attack” aimed at Microsoft Office users by taking advantage of a remote code execution vulnerability in MSHTML (aka Trident), a proprietary browser engine for the now-discontinued Internet Explorer and which is used in Office to render web content inside Word, Excel, and PowerPoint documents. “These attacks used the vulnerability, tracked as CVE-2021-40444, as part of an initial access campaign that distributed custom Cobalt Strike Beacon loaders,” Microsoft Threat Intelligence Center said in a technical write-up. Microsoft on Wednesday disclosed details of a targeted phishing campaign that leveraged a now-patched zero-day flaw in its MSHTML platform using specially-crafted Office documents to deploy Cobalt Strike Beacon on compromised Windows systems.